Audit Report

OIG-12-028
Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2011 and 2010 Financial Statements

December 16, 2011

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 16, 2011

MEMORANDUM FOR JOHN WALSH
               ACTING COMPTROLLER OF THE CURRENCY

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2011 and 2010 Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of the Comptroller of the Currency's (OCC) Fiscal Years 2011 and 2010 financial statements. Under a contract monitored by the Office of Inspector General, GKA, P.C. (GKA), an independent certified public accounting firm, performed an audit of the financial statements of OCC as of September 30, 2011 and 2010 and for the years then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, GKA issued and is responsible for the accompanying management letter that discusses certain matters involving internal control over financial reporting and its operation that were identified during the audit, but were not required to be included in the auditor's reports.

In connection with the contract, we reviewed GKA's letter and related documentation and inquired of its representatives. Our review disclosed no instances where GKA did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Ade Bankole, Manager, Financial Audits, at (202) 927-5329.

Attachment


Certified Public Accountants & Consultants
1015 18th Street, NW, Suite 200
Washington, DC 20036
Tel: 202-857-1777
Fax: 202-857-1778
www.gkacpa.com

OFFICE OF THE COMPTROLLER OF THE CURRENCY
MANAGEMENT LETTER
FISCAL YEAR 2011

October 31, 2011

Member of the American Institute of Certified Public Accountants


Inspector General, Department of the Treasury, and
the Comptroller of the Currency:

We have audited the balance sheet as of September 30, 2011 and the related statements of net cost, changes in net position, and budgetary resources for the year then ended, hereinafter referred to as "financial statements", of the Office of the Comptroller of the Currency (OCC) and have issued an unqualified opinion thereon dated October 31, 2011. In planning and performing our audit of the financial statements of the OCC, we considered its internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. We have not considered the internal control since the date of our report.

During our audit we noted certain matters involving OCC's information technology general controls that are presented in this letter for your consideration. The comments and recommendations, all of which have been discussed with the appropriate members of OCC management, are intended to improve OCC's information technology general controls or result in other operating efficiencies.

OCC management's responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the responses or the effectiveness of any corrective action described therein.

We appreciate the cooperation and courtesies extended to us during the audit. We will be pleased to meet with you or your staff, at your convenience, to discuss our report or furnish any additional information you may require.

October 31, 2011


Office of the Comptroller of the Currency
Management Letter Comments and Recommendations
Year Ended September 30, 2011


Improvements Needed in Information Technology General Controls over OCC's Financial Systems (Repeat Condition).

In our fiscal year (FY) 2010 audit, we identified weaknesses in the areas of entity-wide security management and contingency planning controls, and configuration management. We reported these weaknesses to management in a management letter. In FY 2011, these two issues identified in the prior years remain partially unresolved. In addition, three new findings related to access controls, contingency planning and configuration management were identified.

The weaknesses noted in OCC's IT general controls are discussed below.

(A) Security Management and Contingency Planning

OCC's process for updating its Certification and Accreditation (C&A) documentation needs improvement. (Repeat Condition).

As noted during our prior year audit, OCC's process for updating its Certification and Accreditation (C&A) documentation needs improvement. Specifically, we noted the following:

•  The $MART Systems Security Plan (SSP) version 5.0 is not updated to meet NIST 800-18 Revision 1 requirements. Specifically, we noted the following:
      o  The $MART SSP does not describe how each security control is being implemented or planned to be implemented;
      o  The $MART SSP does not identify the scoping guidance that has been applied to the security controls;
      o  The $MART SSP does not identify any of the agency-defined parameters in the security controls;
      o  The $MART SSP does not describe how the common controls are implemented or who is responsible for their implementation;
      o  The $MART SSP does not accurately document the $MART operating environment. Page seven of the plan states that $MART is a commercial off-the-shelf (COTS) application customized for the OCC and is based on PeopleSoft Financials version 8.49. However, $MART currently uses PeopleSoft Financials version 8.9.

•  The Network Infrastructure (NI) General Support System (GSS) Systems Security Plan (SSP) has not been updated to reflect the OCC's current operating environment or the NIST 800-53 Revision 3 controls. Specifically, we noted the following:
      o  Several NIST 800-53 Revision 3 controls are not accurately reflected in the NI GSS SSP. For example, AC-12, Session Termination, and AC-13, Supervision and Review—Access Control, have been withdrawn from 800-53 Revision 3, but are still documented within the SSP.
      o  The "organizationally-defined" frequencies and values defined by NIST 800-53 Revision 3 have not been documented within the NI GSS SSP. Additionally, the Compliance descriptions do not address whether the "organizationally-defined" controls are in place or planned. For example, the RA-5 control does not address the organizationally-defined timeframe for remediating security vulnerabilities.
      o  Section 1.6.2, System Interconnections/Information Sharing, has not been updated to reflect accurate agreement dates for the Memorandum of Understanding and Interconnection Security Agreements in place.
      o  Section 1.8, Privacy Impact Assessment, states that the NI GSS Privacy Impact Assessment (PIA) was revised and reviewed in October 2008, but has not been approved as of the date of this document. However, we noted that the NI GSS PIA was actually completed and approved.
      o  Section 2.3.4, Risk Assessment (RA-3), has not been updated with the current Risk Management Framework information, such as the October 2009 Certification and Accreditation information.
      o  Section 3.4.2, Contingency Plan (CP-2), states that the OCC Information Technology Disaster Recovery Plan (ITRP), dated April 4, 2008, serves as the Contingency Plan for the Network Infrastructure GSS; however, there is an updated version of the ITRP currently in place.

•  The $MART Contingency Plan has not been updated to reflect the current $MART environment or NIST 800-34 requirements. Specifically, we noted the following:
      o  The $MART Contingency Plan does not contain procedures for recovering the $MART system in a disaster situation. Additionally, the recovery procedures are not documented in the ITRP.
      o  The $MART Contingency Plan has not been updated to reflect the upgrade from PeopleSoft 8.4 to PeopleSoft 8.9.

•  The Network Infrastructure (NI) General Support System (GSS) Contingency Plan has not been updated to reflect the NI environment or NIST 800-34 requirements. Specifically, we noted the following:
      o  The NI GSS Contingency Plan does not contain procedures for recovering the NI system in a disaster situation. Additionally, the recovery procedures are not documented in the ITRP.
      o  The NI GSS Contingency Plan states, "IBM Compatible 2013 Amdahl Millennium Mainframe running ZOS .14 Operating System is planned for decommission by 2008"; however, there was no evidence available to show that this had actually occurred.
      o  The NI GSS Contingency Plan states that the planned migration to Dell EMC Storage Area Network (SAN) is set for 2007; however, the Dell EMC migration has been completed and the NI GSS Contingency Plan has not been updated to reflect the migration.

•  The $MART Security Assessment Report was not updated to reflect the upgrade from PeopleSoft 8.4 to PeopleSoft 8.9.

The current process for updating certification and accreditation documentation as changes occur in the OCC environment is not effective. As a part of the update of the $MART SSP, details were taken out that made the plan inconsistent with NIST 800-18 requirements. Also, OCC has not updated the system security plans for its major application and general support system to address the NIST 800-53 Revision 3 controls. Additionally, OCC created a database to house its procedures for recovering information systems in disaster situations; however, the procedures were not incorporated into the contingency plans for the $MART system or the Network Infrastructure.

The Planning Section of NIST 800-18, Guide for Developing Security Plans for Federal Information Systems, Revision 1, states the following:

•  "The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system."
•  "The system security plan provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The plan also may reference other key security-related documents for the information system such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklists, and system interconnection agreements as appropriate."
•  "An agency must meet the minimum security requirements in this standard by applying security controls selected in accordance with NIST SP 800-53 and the designated impact levels of the information systems. An agency has the flexibility to tailor the security control baseline in accordance with the terms and conditions set forth in the standard. Tailoring activities include: (i) the application of scoping guidance; (ii) the specification of compensating controls; and (iii) the specification of agency-defined parameters in the security controls, where allowed. The system security plan should document all tailoring activities."
•  "For efficiency in developing system security plans, common security controls should be documented once and then inserted or imported into each system security plan for the information systems within the agency. The individual responsible for implementing the common control should be listed in the security plan."
•  "System security plans should clearly identify which security controls employed scoping guidance and include a description of the type of considerations that were made. The application of scoping guidance must be reviewed and approved by the authorizing official for the information system."

The Planning Section of NIST 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, states the following:

   "Control: The organization:
   a. Develops a security plan for the information system that:
      - Is consistent with the organization's enterprise architecture;
      - Explicitly defines the authorization boundary for the system;
      - Describes the operational context of the information system in terms of missions and business processes;
      - Provides the security category and impact level of the information system including supporting rationale;
      - Describes the operational environment for the information system;
      - Describes relationships with or connections to other information systems;
      - Provides an overview of the security requirements for the system;
      - Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
      - Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
   b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
   c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments."

The Contingency Planning Section of NIST 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, states the following:

   "Control: The organization:
   a. Develops a contingency plan for the information system that:
      - Identifies essential missions and business functions and associated contingency requirements;
      - Provides recovery objectives, restoration priorities, and metrics;
      - Addresses contingency roles, responsibilities, assigned individuals with contact information;
      - Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
      - Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
      - Is reviewed and approved by designated officials within the organization;
   b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
   c. Coordinates contingency planning activities with incident handling activities;
   d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
   e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
   f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements]."

The Security Assessment and Authorization Section of NIST 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, states the following:

   "Control: The organization:
   a. Develops a security assessment plan that describes the scope of the assessment including:
      - Security controls and control enhancements under assessment;
      - Assessment procedures to be used to determine security control effectiveness; and
      - Assessment environment, assessment team, and assessment roles and responsibilities;"

Over time, policies and procedures may become inadequate because of changes in threats, changes in operations or deterioration in the degree of compliance. Failure to update certification and accreditation documentation increases the probability that OCC management may not be aware of how system and environmental changes impact the OCC's ability to recover from disaster situations. Additionally, risks may not be adequately identified and corresponding controls implemented to address those risks.

RECOMMENDATIONS:

We recommend the following:
1. OCC management implement a process to ensure that C&A documentation is updated timely in accordance with OCC policy and ensure that approvals are documented on file.
2. Additionally, OCC should ensure that the information contained in the C&A documentation is accurate and reflects the current system operating and organizational environment.
3. OCC management should ensure that the $MART SSP is consistent with NIST 800-18 requirements.

MANAGEMENT RESPONSE:

Management concurs with the Finding and Recommendations. OCC management is in the process of taking corrective action, reincorporating control implementation into the current $MART System Security Plan, in order to bring it back into compliance with NIST Special Publication 800-18: Guide for Developing Security Plans for Federal Information Systems.

1) OCC management ensured that all noted updates to the Network Infrastructure (NI)-General Support System (GSS) operating environment were incorporated in the annual System Security Plan review completed on October 29, 2011.

Additionally, OCC management will:

2) Evaluate the NI-GSS documents and ensure that documentation utilizes controls outlined in NIST Special Publication 800-53 Revision 3: Recommended Security Controls for Federal Information Systems and Organizations, to include documented "organizationally-defined" frequencies and values;
3) Review the $MART System Security Plan, Contingency Plan, and Security Assessment Report to ensure that the current system operating environment is documented to reflect the upgrade of PeopleSoft to version 8.9; and
4) Update the NI-GSS Contingency Plan and $MART Contingency Plans to reflect the accurate operating environments of each system and to ensure they reference the correct procedures for recovering the system in the event of a disaster.

(B) Access Controls

Weaknesses in the OCC's process for managing service accounts.

Specifically, we noted the following:
•  Seventy-seven service accounts on the OCC network had never logged on to the network or had not logged on for more than one year; however, there was no evidence that these accounts had been reviewed to determine whether or not they were still necessary.
•  Twenty-five active service accounts on the OCC network had passwords set to Never Expire; however, there was no evidence that their passwords had been changed on an annual basis in accordance with OCC requirements.
•  There was no evidence that service accounts on the SQL Server database supporting the $MART application had been reviewed to determine whether or not they were still necessary.
•  One service account on the SQL Server database supporting $MART was identified as having database administrator privileges. OCC policy states that service accounts must not be granted administrator privileges.

OCC currently does not have a process in place for periodically reviewing service accounts for appropriateness. Additionally, network passwords are not being changed for service accounts in accordance with OCC policy.

The OCC Master Security Controls Catalog states the following:
•  "The OCC manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [monthly]."
•  "The information system automatically disables inactive accounts after no more than [90 days]."

OCC Information Technology Services Directive, AC: Account Management, 01-02, version 090707, states the following:
•  Information Technology Services (ITS) is solely responsible for the issuance and control of all Service Accounts that permit access to OCC information systems and databases. ITS shall designate appropriate individuals within ITS (FTEs as well as contractors) to manage the appropriate Service Accounts (such as SQL Server, Sybase Server, SIS Application Services, WISDM Application Services).
•  OCC Service Accounts must be dedicated to a specific, documented task, and are not issued for general purposes.
•  OCC Service Accounts must be granted the minimum necessary privileges to perform the specific, documented task. ITS holds and maintains documentation on the requirements for every Service Account.
•  OCC Service Accounts must not be granted administrator privileges.
•  ITS shall maintain a current list of all OCC Service Accounts. This list will be made available only on a need-to-know basis to authorized personnel. A list of accounts will be made available to the OCC Computer Incident Response Center (CIRC) so that compliance with the password standard can be monitored monthly.
•  Service Account passwords must be reset after one year, at the departure of any staff member with knowledge of the password, or when an application is moved into the production environment.

Without an adequate process for periodic review of service accounts and passwords, unauthorized or unnecessary users may have access permissions to OCC systems and data.

RECOMMENDATIONS:

We recommend the following:
1. OCC management ensure that service accounts are periodically reviewed for appropriateness.
2. OCC ensure that passwords for service accounts are changed in accordance with OCC policy.

MANAGEMENT RESPONSE:

Management concurs with the Finding and Recommendations. OCC management will update policies and procedures related to the management of Service Accounts, ensuring alignment with relevant guidance and best practices. Additionally, OCC management will train appropriate staff in policies and procedures associated with Service Account management and will enhance the current account management program to more closely monitor Service Account compliance with applicable policies.

(C) Contingency Planning

Backup tapes have not been tested on a quarterly basis for $MART and the Network Infrastructure to ensure their viability, reliability and integrity in the event of a disaster.

OCC informed us that backup tapes are tested on a semi-annual basis as a part of the functional disaster recovery testing. However, testing had not occurred this year as of August 31, 2011 because of contract negotiations with the alternate site provider, IBM. OCC conducted a backup tape test as a part of a disaster recovery test in late September.

The OCC Master Security Controls Catalog states the following:
•  "OCC tests backup information on a quarterly basis to verify media reliability and information integrity."

Lack of adequate testing of backups increases the risk that OCC may not be able to recover backup data in a disaster situation.

RECOMMENDATION:

1. We recommend that OCC periodically test backup tapes in accordance with OCC policy.

MANAGEMENT RESPONSE:

Management concurs with the Finding and Recommendation, noting exception with elements of the condition. OCC Server and Storage Operations (SSO) conducts regular restoration of servers that comprise the Network Infrastructure-General Support System. Since the beginning of the calendar year, SSO has conducted ninety-nine server recoveries, without failure. As noted in the Notification of Finding and Recommendation, OCC conducted a disaster recovery exercise, to include testing of the reliability of $MART backup media, prior to the end of the fiscal year. Management will evaluate current OCC media testing procedures and policy to ensure compliance with NIST guidance and Treasury Department directives, and will take prudent steps to ensure the reliability of backup media.

(D) Configuration Management

OCC's controls for configuring information systems in accordance with documented baseline configurations need improvement.

Specifically, we noted the following:

•  The $MART MS SQL Server 2005 TCP port is set to 1433. However, the MS SQL Server 2005 baseline configuration states that SQL Server TCP ports should be set to something other than 1433 and 1434.

•  The Default Domain Policy settings are not consistent with the Baseline Configuration Settings for Windows Server 2003. Specifically, the following settings were not consistent with the documented baseline:
      o  Minimum Password Length
      o  Maximum Password Age
      o  Enforce Password History
      o  Account Lockout Duration
      o  Audit Logon Events
      o  Audit Privilege Use
      o  Audit Object Access

OCC had not updated its system configurations and documented baselines to ensure that system settings are consistent with the approved baselines.

The OCC Master Security Controls Catalog states the following:
•  The OCC develops, documents, and maintains a current baseline configuration of the information system.
•  The OCC updates the baseline configuration of the information system as an integral part of information system component installations.

The Configuration Management Section of NIST 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, states the following:

   "Control: The organization:
   a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
   b. Implements the configuration settings;
   c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
   d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."

Due to these weaknesses, system security configurations may not be adequately configured to mitigate risks to OCC's environment. This increases the risk that individuals may exploit vulnerabilities to obtain inappropriate access to OCC systems and data, thus putting OCC systems at risk of inadvertent or deliberate disclosure, modification, or destruction.

RECOMMENDATION:

1. We recommend that OCC management ensure that OCC system configurations are consistent with the approved baselines.

MANAGEMENT RESPONSE:

Management concurs with the Finding and Recommendation, noting exception with elements of the condition. Based on internal review of policy compliance scans of $MART servers, OCC management notes that several policy deviations referenced in the condition do not exist on $MART servers. OCC management will review current configurations and documented baselines to ensure compliance with relevant industry best practices and standards, and applicable agency policy. OCC management will also evaluate the process for identifying, documenting, and approving deviations from documented baseline configurations.

Users have administrative rights to install personal or public domain software on their desktops. (Repeat Condition).

As noted during the prior year audit, although a process for removing and detecting unauthorized software is implemented as a compensating control, the controls do not fully mitigate the weakness. Users still have administrative rights to install personal or public domain software on their desktops.

OCC suspended the implementation of the Beyond Trust (BT) Project in anticipation of migrating all user workstations to Windows 7. According to OCC, Windows 7 will allow OCC to remove administrative privileges while still giving applications the necessary permissions to execute. OCC also plans to establish a software white list to prevent the installation of unauthorized software.

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 3, states:

   "Control: The organization enforces explicit rules governing the installation of software by users.

   Supplemental Guidance: If provided the necessary privileges, users have the ability to install software. The organization identifies what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect)."

The use of unapproved software by employees could negatively impact processing operations, introduce harmful viruses, and/or cause the loss of data.

RECOMMENDATION:

1. We recommend that OCC management continue with its plan to implement a software solution to restrict users from installing and executing unauthorized software on OCC workstations.

MANAGEMENT RESPONSE:

Management concurs with the Finding and Recommendation. The OCC has elected to address this issue as a part of upcoming technology refresh activities that are scheduled for FY2012. OCC management has elected to deploy a United States Government Configuration Baseline (USGCB) compliant Windows 7 desktop image with an enterprise application control solution and standard user rights, replacing the current Windows XP image with local administrator rights.
This strategy will leverage existing large-scale\nprojects to address this weakness, and will limit identified risks associated with such a far\nreaching project. Until such time that this image is deployed, OCC management will\ncontinue to dedicate resources to enhance the detective compensating controls in place to\nlimit risk associated with the install of unauthorized software.\n\n\n\n\n                                             13\n\x0c'
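   The Configuration Management finding (domain password and audit policy settings, and the
   SQL Server TCP port, drifting from the documented baseline) and the user-installed software
   finding (standard users holding local administrator rights) both reduce to the same control
   cycle quoted from NIST 800-53: establish the baseline, implement it, approve and document
   exceptions, and monitor for drift. The Python script below is an added example, not code from
   OCC, GKA or this report. It shows the monitoring step as a baseline-drift check: observed
   settings are compared rule by rule against a documented baseline, settings that were never
   collected are reported rather than assumed compliant, and documented exceptions are kept
   apart from unapproved drift. Every setting name, threshold and observed value in it is a
   constructed sample; collecting live values from a domain controller or server is outside the
   example, so the script takes the observed values as an input dictionary.

```python
"""Baseline configuration drift check (added example; constructed data throughout)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    setting: str
    check: Callable[[Any], bool]   # True when the observed value complies
    expected: str                  # human-readable statement of the baseline


@dataclass(frozen=True)
class Deviation:
    setting: str
    observed: Any                  # None when the setting was not reported at all
    expected: str
    approved_exception: bool


# Predicate builders. Numeric checks insist on an int so that a value collected
# as text (e.g. "8") is flagged instead of being compared loosely.
def at_least(n: int) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, int) and v >= n


def at_most(n: int) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, int) and v <= n


def equals(x: Any) -> Callable[[Any], bool]:
    return lambda v: v == x


def not_in(values) -> Callable[[Any], bool]:
    return lambda v: v not in values


# Constructed baseline over the settings the finding names; the thresholds are
# illustrative assumptions, not OCC's documented values.
BASELINE: List[Rule] = [
    Rule("MinimumPasswordLength", at_least(12), "at least 12 characters"),
    Rule("MaximumPasswordAge", at_most(90), "at most 90 days"),
    Rule("EnforcePasswordHistory", at_least(24), "remember at least 24 passwords"),
    Rule("AccountLockoutDuration", at_least(15), "at least 15 minutes"),
    Rule("AuditLogonEvents", equals("Success, Failure"), "Success, Failure"),
    Rule("AuditPrivilegeUse", equals("Success, Failure"), "Success, Failure"),
    Rule("AuditObjectAccess", equals("Success, Failure"), "Success, Failure"),
    Rule("SqlServerTcpPort", not_in({1433, 1434}), "a port other than 1433 or 1434"),
    Rule("StandardUsersInLocalAdministrators", equals(False),
         "no standard users in the local Administrators group"),
]

# Constructed observation resembling the kind of drift the finding describes.
OBSERVED_SAMPLE: Dict[str, Any] = {
    "MinimumPasswordLength": 8,
    "MaximumPasswordAge": 180,
    "EnforcePasswordHistory": 24,
    "AccountLockoutDuration": 15,
    "AuditLogonEvents": "No auditing",
    "AuditPrivilegeUse": "Success, Failure",
    "AuditObjectAccess": "Failure",
    "SqlServerTcpPort": 1433,
    "StandardUsersInLocalAdministrators": True,
}


def check_baseline(observed: Dict[str, Any],
                   baseline: List[Rule] = BASELINE,
                   exceptions: FrozenSet[str] = frozenset()) -> List[Deviation]:
    """One Deviation per rule the observation fails or does not report."""
    deviations: List[Deviation] = []
    for rule in baseline:
        approved = rule.setting in exceptions
        if rule.setting not in observed:
            # An uncollected setting is a gap in monitoring, not evidence of compliance.
            deviations.append(Deviation(rule.setting, None, rule.expected, approved))
        elif not rule.check(observed[rule.setting]):
            deviations.append(Deviation(rule.setting, observed[rule.setting],
                                        rule.expected, approved))
    return deviations


def unapproved(deviations: List[Deviation]) -> List[Deviation]:
    """Drift with no documented, approved exception behind it."""
    return [d for d in deviations if not d.approved_exception]


def format_report(deviations: List[Deviation]) -> str:
    lines = []
    for d in deviations:
        tag = "APPROVED EXCEPTION" if d.approved_exception else "DEVIATION"
        seen = "not reported" if d.observed is None else repr(d.observed)
        lines.append(f"{tag:18} {d.setting}: observed {seen}; baseline {d.expected}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Treat the SQL port as a documented exception to show the two classes side by side.
    found = check_baseline(OBSERVED_SAMPLE, exceptions=frozenset({"SqlServerTcpPort"}))
    print(format_report(found))
    print(f"{len(unapproved(found))} unapproved deviation(s) of {len(found)} total")
```

   The design point is the separation of concerns the control describes: the baseline is data
   (a list of rules), the exception register is a separate input, and the report distinguishes an
   approved exception from drift so that only the latter needs remediation. Feeding the script
   values exported from a policy compliance scan, rather than the constructed sample, turns it
   into the periodic check the recommendation calls for.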